Common Zero-Day Network Protection Approaches and Drawbacks (Part 1)

By Mor Ahuvia, Threat Prevention Product Marketing Manager

Can you defend against zero-day threats? Most organizations cannot. But with the right technology, organizations can not only detect more zero-days, but also stave them off, without having to compromise on business agility or speed. Here is Part 1 of our four-part series on “Stopping Zero Days at the Speed of Business.”

At best, antivirus software blocks only 43% of the malware strains currently in the wild, meaning most variants can still get into your network. In absolute numbers, that’s 8,500 unknown zero-day threats worldwide per day, according to Check Point ThreatCloud, which aggregates data from several hundred million sensors globally, and proprietary Check Point Research.

To identify zero-day malware, AV software relies on indicators of compromise (IoCs) such as IP addresses, URLs and file signatures or hashes. The zero-day phishing equivalents of these IoCs, used by anti-spam and email security controls, are the reputation of unknown URLs and of unknown senders.

With no associated file signature, sender history or website history, AVs, firewalls and other controls cannot identify these items as malicious and block them from entering the network. So how do you defend against that which you do not know?
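To make the indicator-matching model described above concrete, the following is an added Python example; it is not code from this post or from Check Point. It performs the pure IoC lookup an AV or anti-spam control does (SHA-256 of a file, URL host, sender address, source IP) against a constructed feed. All indicator values, hosts and addresses are placeholders built for the example. The point it shows is the gap the text describes: a repacked variant of a known sample and a freshly registered domain are absent from the feed, so the lookup returns "allow" for them even though they are just as malicious as the entries that match.

```python
"""IoC lookup and the zero-day gap (added example; constructed data throughout)."""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

# --- Constructed IoC feed: placeholder values, not real indicators -----------
KNOWN_BAD_PAYLOAD = b"constructed-known-bad-payload-v1"        # sample already "signed"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}
KNOWN_BAD_HOSTS = {"malicious.example", "bad-cdn.example"}
KNOWN_BAD_SENDERS = {"phisher@scam.example"}
KNOWN_BAD_IPS = {"203.0.113.7"}  # TEST-NET-3 documentation address, not a real IoC


@dataclass
class Event:
    kind: str      # "file", "url", "email" or "ip"
    value: object  # bytes for files, str for everything else


def host_of(url: str) -> str:
    """Normalise a URL to its lower-cased host so the feed is matched by host only."""
    return (urlparse(url).hostname or "").lower()


def ioc_verdict(event: Event) -> str:
    """Pure indicator lookup, the way a signature/reputation control decides."""
    if event.kind == "file":
        digest = hashlib.sha256(event.value).hexdigest()
        return "block" if digest in KNOWN_BAD_SHA256 else "allow"
    if event.kind == "url":
        return "block" if host_of(event.value) in KNOWN_BAD_HOSTS else "allow"
    if event.kind == "email":
        return "block" if event.value.lower() in KNOWN_BAD_SENDERS else "allow"
    if event.kind == "ip":
        return "block" if event.value in KNOWN_BAD_IPS else "allow"
    raise ValueError(f"unknown event kind: {event.kind}")


def triage(events):
    """Return one verdict per event, in order."""
    return [ioc_verdict(e) for e in events]


# Constructed traffic: three artefacts the feed knows, three it has never seen.
SAMPLE_EVENTS = [
    Event("file", KNOWN_BAD_PAYLOAD),                     # hash present in feed
    Event("url", "https://MALICIOUS.example/login"),      # host present in feed
    Event("email", "Phisher@scam.example"),               # sender present in feed
    Event("file", b"constructed-known-bad-payload-v2"),   # repacked variant: new hash
    Event("url", "https://fresh-domain.example/login"),   # domain with no history
    Event("ip", "198.51.100.9"),                          # address with no history
]


def summary(events=SAMPLE_EVENTS):
    """Count how many of the batch a pure IoC control would block versus allow."""
    verdicts = triage(events)
    return {
        "block": verdicts.count("block"),
        "allow": verdicts.count("allow"),
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    for e, v in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{v:5}  {e.kind:5}  {e.value!r}")
    print(summary())
```

Running it shows the first three events blocked and the last three allowed: the control is only as good as its feed, and anything without a prior signature, host or sender history passes by construction. That is why the approaches discussed next (sandboxing, endpoint behaviour monitoring, post-breach response) exist, and why each has to be judged on what it adds for artefacts the feed has never seen.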

Common network protection approaches and their limitations

Sandboxes – Deployed on top of static code analysis, conventional sandboxes examine the behavior of unknown or suspicious files to determine whether they are malicious. However, they are susceptible to malware evasion techniques, such as refusing to execute when a virtual environment is detected. Also, by default, they are configured to let suspicious files into the network before analysis is complete and a verdict is reached. Why? Because waiting eight to 20 minutes is often impractical, especially when downloading a file from the web. (For details, see Check Point’s Malware Evasion Encyclopedia.)

Endpoint security – Serving as a last line of defense, solutions such as EPPs and EDRs inspect an exhaustive number of endpoint activities and behaviors and generate alerts in the event of suspicious activity. They are therefore instrumental in threat hunting and threat remediation performed post-infection. However, not all resources can be protected with an endpoint agent. This includes enterprise IoT devices such as surveillance cameras, elevators and HVAC systems, for which the network security gateway is usually the first and last line of defense. Similarly, data centers cannot be protected with endpoint solutions, as they consist of dozens—if not hundreds—of servers with specialized OSs (Unix, Linux, Oracle), appliances and other equipment—for which network security serves as the only line of defense.

Detection-first approach using incident response – Giving up on the notion of threat prevention, some organizations place their investments in post-breach incident response, aiming to curtail the damage that arises from a breach. This is done using in-house SOC teams, or outsourced MSSP or MDR teams entrusted with monitoring the organization’s security and following up on alerts. There are two problems with relying mainly on this approach. First, it’s expensive, with an average breach costing $960,000 to remediate. Second, the damage is likely to have already been done at this stage of an attack (for example, with files already encrypted in the event of a ransomware attack).

With such critical limitations, how can you protect your network from zero-days?